
Re: White paper of proposed architecture for NSTIC

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Thu, 21 Jul 2011 08:29:45 +0200
Message-ID: <4E27C759.9020306@telia.com>
To: Francisco Corella <fcorella@pomcor.com>
CC: "public-identity@w3.org" <public-identity@w3.org>, "Karen P. Lewison" <kplewison@pomcor.com>
On 2011-07-21 08:00, Francisco Corella wrote:
> 
> Anders,
> 
> Really, NSTIC is not about PIV, nor about government IT, and it 
> certainly is not a low risk initiative.  If you don't believe me,
> see for yourself at http://www.nist.gov/nstic/ .

Dear Francisco,

I'm pretty versed in the NSTIC initiative.  What I also know is
that the card industry is gearing up as they believe that the
outcome will be physical distribution of smart cards.  Since the
US is also looked upon by the entire world, this makes NSTIC more
interesting than, for example, Germany's e-card.

Anyway, due to the limited functionality offered by the leading
US vendors when it comes to two-factor authentication except
using PIV (which you must support), it is hard to see that
NSTIC would go somewhere else.  I have no idea of how projects
like yours and mine could be funded and organized.  Based on
15 years of experience in this field, I think it is easier
to solve the Middle East conflict than to get a working
consumer 2FA (2 factor auth) solution off the ground.

Well, Apple can do it and IMO they WILL do it as well.

The financial industry could have done this with almost no
money at all but they didn't.  Why?  Because they cannot fund
anything that other banks can use.  I.e. the phishing problem
is not the result of criminals, it is the result of a total lack
of interest in solving bigger issues.

Apple (unlike Microsoft) has HUGE ambitions to establish a
new payment infrastructure and this will take authentication
to new heights.  That they define their own silicon makes
it extremely simple to bring out stuff that the rest of us can
only dream about...

If I were VISA I would be quite worried.

Sorry for being negative but NSTIC is already dead in the water.

Anders


> Francisco
> 
>     ----------------------------------------------------------------
>     *From:* Anders Rundgren <anders.rundgren@telia.com>
>     *To:* Francisco Corella <fcorella@pomcor.com>
>     *Cc:* "public-identity@w3.org" <public-identity@w3.org>; Karen P. Lewison <kplewison@pomcor.com>
>     *Sent:* Wednesday, July 20, 2011 1:23 PM
>     *Subject:* Re: White paper of proposed architecture for NSTIC
> 
>     On 2011-07-20 21:24, Francisco Corella wrote:
>     > Hi Anders,
>     >
>     >> The problem with this and similar efforts is that you need a
>     >> *platform*.
>     >>
>     >> The only party that actually has a platform worth mentioning
>     >> is Apple with their iPhone.
>     >>
>     >> Popular, can host credentials, can be on-line provisioned,
>     >> great connectivity.
>     >
>     > Why do you need a platform?  Why can't the browser manage
>     > your credentials (whether or not they are stored in a smart
>     > card).
> 
>     In the context of NSTIC we are probably talking about high-value
>     credentials.  So far such have come in "hard cases".  Browsers
>     could theoretically manage/provision credentials in smart cards
>     but neither the browser vendors nor the card vendors have shown
>     any interest in that.  My personal view is that it is *infeasible*
>     using the cards we have today because they were never designed for
>     end-user provisioning.
> 
>     Microsoft's "CertEnroll" doesn't even support PIN-codes to soft
>     tokens so we are pretty far away from gov/bank stuff.
> 
>     >> Unfortunately I don't think the NSTIC people are prepared
>     >> shelling out any money except on projects using their "own"
>     >> platform, i.e. PIV.  This platform is severely constrained
>     >> and does neither support multiple credentials nor on-line
>     >> provisioning.
>     >>
>     >> PIV doesn't fit your bank-case.
>     >>
>     >> That people outside the Feds don't have card readers is
>     >> also an indication of how "off" this thing would be as a
>     >> foundation for a vibrant identity ecosystem.
>     >
>     > NSTIC is not about PIV.
> 
>     The existing US government vendors believe that.  Not PIV
>     the Federal gov card, but PIV as host for NSTIC credentials.
> 
>     > I believe many people involved with
>     > NSTIC think PKI certificates, such as those stored in PIV
>     > smart cards, are a thing of the past, to be replaced with
>     > "privacy-enhanced" credentials such as Idemix anonymous
>     > credentials or U-Prove tokens.  I myself think PKI
>     > certificates have an important role to play going forward,
>     > coexisting with privacy-enhanced credentials.
> 
>     Here we are exactly on the same page.
> 
>     > NSTIC is still pretty much a blank slate.  The first
>     > workshop on technology has not taken place yet.  I'm told it
>     > will take place in the Bay Area during the week of September
>     > 19.  I encourage you to attend and contribute your ideas.
> 
>     They are not ready for such ideas since it involves risks.
>     On-line provisioning, which we both suggest (albeit in fairly
>     different ways), is out of scope for these guys, which is not
>     surprising given the current state-of-the-art.
> 
>     >> Platform = HW + SW.
> 
>     Anders
> 
> 
> 
Received on Thursday, 21 July 2011 06:30:21 GMT